Hello everyone,

Like I was telling in the other thread Cluster Capacity - peak/concurrent connections we're facing some HUGE connections from time to time, and I'm in the process of identifying them.

So I worked a script, that gets triggered when the connection is HIGH - goes over the 150K that we defined as trigger.

[Expert@XxXx-FW01:0]# fw ctl pstat | grep Concurrent | awk '{print $3}'
97807
[Expert@XxXx-FW01:0]#

Now, when this gets triggered, we collect some reports, like the TOP x Sources HIT and TOP x Destinations HIT and from those TOP X, we're getting some additional reports on the first 3 IP's from each, in order to see what HUGE traffic happens against our appliances.

Now on the connections table, we currently use "fw tab -u -t connections -f" to get all sessions, but one of the problems is that this export and parse takes approx. 3-5 min or more. So I researched and ended up with "fw ctl conntab" that some state is better to use - as is more Human Readable format - and wayyy faster (under 30sec).  

What is unclear for me right now, are those two "fw tab -u -t connections -f" and "fw ctl conntab" showing same connections or there could be differences ?

Which one is better to use and report connections at a certain point and work with?

Also can someone clarify it contains the "fw ctl multik gconn", as if I address this table, I get other value for number of connections 🤔 .

Thank you,

PS: after I finish the script and have a final version, I'll share it....